
Is Google Analytics compliant with GDPR?

From May 2018 the new General Data Protection Regulation (GDPR) will come into force in the European Union, causing all marketers and data engineers to reconsider how they store, transmit and manage data – including Google Analytics.

If your company uses Google Analytics, and you have customers in Europe, then this guide will help you check compliance.

The rights enshrined by GDPR relate to any data your company holds which is personally identifiable: that is, data which can be tied back to a customer who contacts you. The simplest form of compliance, and what Google requires in the GA Terms of Use, is that you do not store any personally identifiable information.

Imagine a customer calls your company and, using the right of access, asks what web analytics you hold on them. If it is impossible for anyone at your company (or from your agencies) to identify that customer in GA, then the other rights, of rectification and of erasure, cannot apply.

Since it is not possible to selectively delete data in GA (without deleting the entire web property history), this is also the only practical way to comply.

The tasks needed to meet this standard depend on your meaning of ‘impossible to identify’!

Basic Compliance

Any customer data sent ‘in the clear’ to GA is a clear breach of Google’s terms, and can result in Google deleting all your analytics for that period.

This would include:

User names sent in page URLs

Phone numbers captured during form completion events

Email addresses used as customer identifiers in custom dimensions

If you’re not sure, our analytics audit tool includes a check for all these types of personally identifiable information.

You need to filter out the names and emails on the affected pages, in the browser; applying a filter within GA itself is not sufficient.

But I prefer a belt-and-braces approach to compliance, so you should also look at who has access to the Google Analytics account, and ensure that all those with access are aware of GDPR generally and of the need not to capture personal data.

You should check that your company (not an agency) actually owns the Google Analytics account and, if not, transfer it back.

At the web property level, you should check that only a limited number of admins have permission to add and remove users, and that each user only has access to the websites they are directly involved in.

Or you could talk to us about integrations with your internal systems to automatically add and remove users to GA based on roles in the company.

Full Compliance

Other kinds of data which could be personally identifiable, and which you may need to discuss, are:

IP addresses

Postcodes/ZIP codes

Long URLs with lots of user-specific attributes

The customer’s IP address is not stored by Google in a database, or accessible to any client company, but it could potentially be accessed by a Google employee. If you’re concerned, there is a plug-in to anonymise the last part of the IP address, which still allows Google to detect the user’s rough location.

ZIP codes are unlikely to be linked to a user, but in the UK some postcodes could be linked to an individual household – and to a person, in combination with the web pages they visited. As with IPs, the best solution is to send only the first few characters (the ‘outcode’) to GA, which still allows segmenting by location.

Long URLs are problematic in reporting (since GA does not allow more than 50,000 different URL variants in a report) but also because, as with postcodes, a combination of lots of marginally personal information could lead to a person. For example, if the URL was

This could allow anyone viewing those page paths in GA to identify the person.

The solution is to replace long URLs with a shortened version like

mysite.com/form
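One way to do this filtering before anything reaches GA, covering the in-browser scrubbing of emails and phone numbers from Basic Compliance as well as the URL shortening and postcode outcode described above. This is an added example, not Littledata's code: the function names, regular expressions, placeholder strings and the allow-list of campaign parameters are assumptions.

```javascript
// Added example: patterns, placeholder names and the allow-list are assumptions.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Deliberately broad: over-redacting a long number is the safe failure mode.
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/g;
// UK postcode = outward code ("outcode") + inward code (digit, two letters).
const UK_POSTCODE_RE = /^\s*([A-Z]{1,2}\d[A-Z\d]?)\s*\d[A-Z]{2}\s*$/i;
// Only these query parameters are kept; everything else is dropped.
const SAFE_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign']);

// Replace emails and phone numbers that appear inside free text.
function scrubText(text) {
  return text.replace(EMAIL_RE, 'REDACTED_EMAIL').replace(PHONE_RE, 'REDACTED_PHONE');
}

// Reduce a full UK postcode to its outcode. Returns null when the value does
// not parse, so an unrecognised value is never sent as-is.
function toOutcode(postcode) {
  const match = UK_POSTCODE_RE.exec(postcode);
  return match ? match[1].toUpperCase() : null;
}

// Build the page path to report: scrubbed path plus allow-listed parameters.
function sanitizePage(rawUrl) {
  const url = new URL(rawUrl);
  const path = url.pathname.split('/').map((segment) => {
    let decoded = segment;
    try { decoded = decodeURIComponent(segment); } catch (e) { /* keep raw segment */ }
    return encodeURIComponent(scrubText(decoded));
  }).join('/');
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (SAFE_PARAMS.has(key)) kept.append(key, scrubText(value));
  }
  const query = kept.toString();
  return query ? `${path}?${query}` : path;
}

// In the browser, with analytics.js loaded, the result would be used as:
//   ga('set', 'page', sanitizePage(location.href));
//   ga('send', 'pageview');
```

Pattern matching cannot recognise a user name in a path, so routes that embed one need an explicit rewrite rule on top of this.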

And for bonus points…

All European websites are required to get visitors to opt in to a cookie policy, which covers the use of the GA tracker cookie.

But does your site log whether that cookie policy was accepted, by using a custom event?

Doing so would protect you from a web-savvy user in the future who wanted to know what information has been stored against the client ID used in his Google cookie. I feel this client ID is outside the scope of GDPR, but guaranteeing that the user on GA can be linked to opt-in consent of the cookie will help protect against any future data litigation.

The final area of contention is hashing emails. This is the process used to convert a plain email like ‘me@gmail.com’ into a unique string like ‘uDpWb89gxRkWmZLgD’. The theory is that hashing is a one-way process, so I can’t regenerate the original personal email from the hash, rendering it not personal.

The problem is that some common hashing algorithms can be cracked, so actually the original email can be deduced from a seemingly-random string. The result is that under GDPR, such email hashes are considered ‘pseudonymized’ – the resulting data can be more widely shared for analysis, but still needs to be handled with care.

For extra security, you could add a ‘salt’ to the hashing, but this might negate the whole reason why you want to store a user email in the first place – to link together different actions or campaigns from the same user, without actually naming the user.

There are ways around this that strike a compromise. Contact Littledata for a free initial consultation or a GDPR compliance audit.
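One possible compromise, shown as an added example rather than Littledata's method: a keyed hash (HMAC) computed on your own server, which gives the same identifier for the same email but cannot be recomputed by someone who only has a list of addresses. The key, the address list and the function names are constructed for illustration, and the code uses Node's built-in crypto module.

```javascript
// Added example: key, addresses and function names are constructed.
const nodeCrypto = require('crypto');

// Normalise so the same address always maps to the same identifier.
function normalise(email) {
  return email.trim().toLowerCase();
}

// Plain, unsalted hash: anyone can recompute it for a guessed address.
function plainHash(email) {
  return nodeCrypto.createHash('sha256').update(normalise(email)).digest('hex');
}

// Keyed hash: same input and same key give the same identifier, so actions by
// one user can still be linked, but it cannot be recomputed without the key.
function keyedHash(email, secretKey) {
  return nodeCrypto.createHmac('sha256', secretKey).update(normalise(email)).digest('hex');
}

// Audit check to run on your own data: does a stored identifier match any
// address you already hold? A match means the identifier is not anonymous.
function reidentify(storedId, knownEmails, hashFn) {
  return knownEmails.find((email) => hashFn(email) === storedId) || null;
}

const knownEmails = ['me@gmail.com', 'you@example.com']; // constructed list
const secretKey = 'server-side-secret-placeholder';      // keep out of the browser

// Unsalted: the stored value is tied straight back to a known address.
const leaked = reidentify(plainHash('me@gmail.com'), knownEmails, plainHash);
// Keyed: the same check fails for anyone who does not hold the key.
const resisted = reidentify(keyedHash('me@gmail.com', secretKey), knownEmails, plainHash);
```

The keyed identifier is still pseudonymised rather than anonymous, because whoever holds the key can recompute it for a given email.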

Edward

Founder of Littledata, Technical Lead and Product Consultant. He has broad experience helping companies with business strategy, product development and technology management.
